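# syntax=docker/dockerfile:1
# Self-contained image for offline / CI scanning.
# Python 3.13 (GuardDog's pygit2 has no 3.14 wheel). Installing the package pulls
# the core engines (Semgrep + GuardDog) as dependencies. malcontent (--with-malcontent)
# is an optional Go binary and is intentionally not bundled.
#
# The tag alone is not reproducible: for release builds pin the base by digest too,
#   FROM python:3.13-slim@sha256:<digest-of-the-tag-you-verified>
FROM python:3.13-slim

LABEL org.opencontainers.image.title="malware-detector" \
      org.opencontainers.image.description="Multi-language malware detector (JS/TS/Python/PHP)" \
      org.opencontainers.image.licenses="MIT"

# PYTHONUNBUFFERED: CI log collectors see findings as they are emitted, not on exit.
# SEMGREP_SEND_METRICS: keep the scan genuinely offline by disabling Semgrep's usage
# telemetry if the detector invokes the semgrep CLI (harmless if it does not).
ENV PYTHONUNBUFFERED=1 \
    SEMGREP_SEND_METRICS=off

WORKDIR /app
# The whole build context lands in this layer: keep a .dockerignore next to this
# file (.git, tests, .env, build output) so it stays small and nothing secret ships.
COPY . /app
# --no-cache-dir keeps pip's download cache out of the layer. Transitive dependency
# versions are whatever the project metadata resolves at build time; for a fully
# pinned image, install from a hash-locked requirements file instead.
RUN pip install --no-cache-dir .

# Run as non-root against a read-only mount of the target repo.
# The package is installed as root and is read-only for the scanner user, so a
# malicious target cannot tamper with the detector itself.
# SCANNER_UID defaults to the first regular UID useradd picks on a fresh Debian base
# (1000); override with --build-arg SCANNER_UID=... to match the owner of the mounted
# repository, or so runAsNonRoot-style checks can verify a known numeric UID.
ARG SCANNER_UID=1000
# A real home directory is kept because the engines may write per-user state under $HOME.
RUN useradd --create-home --uid "${SCANNER_UID}" scanner
USER scanner
# Mount point for the repository under test, e.g.  docker run -v "$PWD":/scan:ro <image>
WORKDIR /scan

ENTRYPOINT ["malware-detector"]
CMD ["scan", "."]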
